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^ | Abstract: A (k, 5, e)-locally decodable code C : F™ — ► F^ is an error- correcting code that encodes 
■ each message x — (xi, x 2 , ■ ■ ■ , x n ) G F™ to a codeword C(x) G F^ and has the following property: For 
^ ■ any y G F^ such that d(y, C(x)) < 5N and each 1 < i < n, the symbol X{ of x can be recovered with 



probability at least 1— e by a randomized decoding algorithm looking only at k coordinates of y. The 



0> \ efficiency of a (k, 6, e)-locally decodable code C : F™ — > F^ is measured by the code length N and the 



number k of queries. For any /c-query locally decodable code C : F™ — > F^ , the code length N is con- 
jectured to be exponential of n, i.e., N = expfW^ 1 '), however, this was disproved. Yekhanin [In Proc. 
of STOC, 2007] showed that there exists a 3-query locally decodable code C : F2 — > F^ such that 
N = exp(n^ 1//loglos?1 - ) ) assuming that the number of Mersenne primes is infinite. For a 3-query locally 
iy. decodable code C : F£ -> F^, Efremenko [ECCC Report No.69, 2008] reduced the code length fur- 
■ ther to N = exp(n°^ loglogri / logn ) 1/2 )), and also showed that for any integer r > 1, there exists a k-que- 
! ry locally decodable code C : F™ -> Ff such that k < 2 r and N = eX p(n (( loglogn / logn ) 1 ~ 1/r )). In this 
\D ! paper, we present a query-efficient locally decodable code by introducing a technique of "composition 
I of locally decodable codes," and show that for any integer r > 1, there exists a fc-query locally decod- 
; able code C : F™ ^ F^ such that k < 3 • 2 r ~ 2 and N = eX p(n « loglogri / log ") 1 " 1/ '')). 

^ . Keywords: Locally Decodable Codes, S'-Matching Vectors, S"-Decoding Polynomials, Composition 

OO ! of Locally Decodable Codes, Perfectly Smooth Decoders, Private Information Retrieval. 
O ■ 

> : 

: 1 Introduction 

h ; 

. 5r , Conventional error-correcting codes C : F™ — > F^ allow one to encode any x = (x\, x 2 , ■ ■ ■ , x n ) G F™ 
to C(x) G F^ and have the following property: For any y G F^ such that d(y, C(x)) < 5N, the orig- 
inal message x can be recovered by looking at entire coordinates of y. If one is interested in recovering 
a single symbol Xi of x, more efficient schemes are possible. Such schemes are known as locally decoda- 
ble codes C : F™ -> F^ that allow recovery of any single symbol x« of x G F™ by looking only at k ran- 
domly chosen coordinates of y G F^ such that d(y, C{x)) < 5N. Informally, a (k, 5, e)-locally decod- 
able code C : F™ — > F^ is an error-correcting code that encodes each message x = (xi, x 2 , ■ ■ ■ , x n ) G 
F™ to a codeword C(x) G F^ and has the following property: For any y G F^ such that d(y, C(x)) < 
5N and each 1 < i < n, the symbol Xi of x can be recovered with probability at least 1 — e by a 
randomized decoding algorithm looking only at k coordinates of y. 

1.1 Known Results 

From theoretical and practical point of view, we are interested in designing a (k, 8, e)-locally decoda- 
ble code C : F™ — > as shorter N as possible and as smaller k as possible. The notion of locally de- 
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codable codes was considered in several contexts [2, 20, 18], and Katz and Trevisan [16] were the first 
to provide a formal definition of locally decodable codes and prove lower bounds for the code length. 
Gasarch [8] and Goldreich [10] conjectured that for a A;-query locally decodable code C : F™ — > 
with k > 1, the code length N is unavoidable to be the exponential of n, i.e., N = exp(n f7< - 1 - ) ). In Ta- 
ble 1, we summarize the known results on the code length for /c-query locally decodable codes. 



Table 1: Known Results on the Code Length 





Upper Bound 


Lower Bound 


2- Query 


exp (0(n)) 


[15] 


exp (Q(n)) [15] 


3-Query 


exp (n 1 / 2 ) 


[4] 


Cl in 2 ) [15, 23] 


/c-Query 


exp ^°^ oglogfe - > / fclogfc ) 


[5] 


n ( n i+i(r*/2i-i)) [i 5) 23] 



Yekhanin [25, 26] improved the upper bound for the code length of 3-query locally decodable codes to 
N = exp(n 1 / 32582657 ) and disproved the conjecture [8, 10] on the code length of 3-query locally decod- 
able codes, i.e., if there exist infinitely many Mersenne primes, then N = exp(n°( 1//loglogn )) for infi- 
nitely many n's. Very recently, Efremenko [7, Theorem 3.8] improved much further the upper bound 
for the code length of 3-query locally decodable codes to 

N = exp (exp (o (Vlogn • log log ra))) = exp ^((logiogn/iogn) 1 ^) j ^ 

by introducing the notions of S'-matching vectors [7, Definition 3.1] and S'-decoding polynomials [7, 
Definition 3.4] — this reduces the code length of 3-query locally decodable codes and removes the un- 
proven assumption that infinitely many Mersenne primes exist. For any k > 2, Efremenko [7, Theo- 
rem 3.6] also disproved the conjecture [8, 10] on the code length of /c-query locally decodable codes, 
and showed that for any r > 1, there exists a A;-query locally decodable code such that k < T and 

N = exp (exp (o ( \J\ogn ■ (log log n)^ 1 J J J = exp ^((logiogn/iogn) 1 - 1 /^ _ 



1.2 Main Result 

In this paper, we present an improved construction of a A;-query locally decodable code C : F™ — > F^, 
and show that for any r > 1, there exists a /c-query locally decodable code such that k < 3 • 2 r ~ 2 and 



N = exp ^exp yO yy logn • (loglogn) 7 * 

Our construction of the 3-2 r_2 -query locally decodable codes is partially based on the construction by 
Efremenko [7] . To reduce the number of queries, we introduce a technique of "composition of locally 
decodable codes." In fact, we show that for a A;x-query locally decodable code and a /c 2 -query locally 
decodable code, there exists a A;i/c2-query locally decodable code. Applying our technique of "compo- 
sition of locally decodable codes" to the 3-query locally decodable code [7, Theorem 3.8] and the 2 r ~ 2 - 
query locally decodable code [7, Theorem 3.6], a 3 • 2 r ~ 2 -query locally decodable code is achieved. 



= exp I n 



,0((log logra/ logn) 1 - 1/r ) N 
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1.3 Application of Locally Decodable Codes 

Locally decodable codes have many applications in complexity theory and cryptography (see, e.g., 
[21,8]). In particular, locally decodable codes are closely related to designing efficient private infor- 
mation retrieval. Informally, a /c-server private information retrieval is a protocol that consists of a 
user U and k databases VB\,VB 2 , ■ ■ ■ , T>Bk with identical data x = (xi,x 2 , • • • , x n ), where each data- 
base T>Bj does not communicate to any other database VBh, and allows the user U to retrieve Xi of x 
while any of the k databases VBi, VB2, ■ ■ ■ , VBk learns nothing about i. Private information retriev- 
al was introduced by Chor et al. [6], and the efficiency of a A;-server private information retrieval is 
measured by its communication complexity Ck(n), i.e., the total amount of bits exchanged between 
the user U and each of the k databases T>i, T> 2 , . . . , T>k- For further details on A;-server private infor- 
mation retrieval, see, e.g., [1, 17, 13, 14, 11, 15, 4, 3, 19, 24]. 



Table 2: Known Results on the Communication Complexity 





Upper Bound 


Lower Bound 


1-Server 


n+ 1 


[6] 


[6] 


2-Server 


n l/3 


[6, 12] 


51ogn [22] 


3-Server 


n O((log log n/ log n) 1 / 2 ) 


[7] 




4-Server 


n l/7.87 


[5] 




/c-Server 


n O(\og logfc/fclog k) 


[5] 





In Table 2, we summarize the known results on the communication complexity Cfc(n) for A;-server 
private information retrieval. In particular, Efremenko [7, Theorem 3.6] showed that a communica- 
tion-efficient /c-server private information retrieval exists for a specific k > 1, i.e., for any r > 1, there 
exists a /c-server private information retrieval such that k <2 r and C k (n) = n °(( lo s lo g n / lo g™) (r 1)/r ). 

2 Preliminaries 

2.1 Locally Decodable Codes 

We use F q to denote a finite field of q elements and d(x, y) to denote the Hamming distance of vectors 
x = (xi, Xii • • • , x n ) G F™ and y = (y±, y 2 , ■ ■ ■ , y n ) £ F™, i.e., the number of indices such that X{ 7^ t/j. 
For any integer a < b, we use [a, 6] to denote the set {a, a+1, . . . , b}. For any integer m > 1, let Z m = 
{0, 1, . . . , m - 1} and = {z e Z m : gcd(,2, m) = 1}. 

Definition 2.1 ([16]) ILe say i/iai C : F™ — > F^ is a (A:, <5, sr)-locally decodable code if for each i G 
[1, n], there exists a randomized decoding algorithm D t : F^ — > F q such that (1) for any message x = 
(xi,x 2 , ■ ■ ■ ,x n ) G F™ and any y G F^ such that d{C{x),y) < 5N, Pr[Dj(y) = xt\ > 1 — e; (2) i/ie 
algorithm Di makes at most k queries to y. 

We say that a (k, 5, e)-locally decodable code C is linear if C is linear over F g and is nonadaptive 
if for each % G [1, n], the decoding algorithm Di makes all its queries simultaneously. In this paper, we 
deal with only linear and nonadaptive (k, 5, e)-locally decodable codes. 
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Definition 2.2 ([21]) We say that C : F™ — »■ /tas a perfectly smooth decoder V = {A}?e[i.n] 
/or eac/i x6 FJ and eac/i i G [l,n], Pr[Dj(C(:r)) = Xj] = 1, anc? eac/i gnen/ made 6y t/ie random- 
ized decoding algorithm D i is uniformly distributed over [l,N]. 

Trevisan [21] observed that for a code C : F™ — > F^, if C has a perfectly smooth decoder and makes 
at most queries, then C is a (A;, 5, M)-locally decodable code. Thus in the rest of this paper, we use 
/c-query locally decodable codes instead of (k, 5, e)-locally decodable codes. 

2.2 S-Matching Vectors 

Let m > 1 and h > be integersDFor any x = (x 1 ,x 2 , . . . , Xh) G Z^ t and y = (y±, y 2 , ■ ■ ■ , y^) G Z^, 
we use (x,y) m to denote the inner product of f and y modulo m, i.e., 

h 

(x,y) m = ^xjyj (mod m). 

3=1 

Definition 2.3 ([7]) Let S C Z m \ {0} andU = {ui,u 2 , ■ ■ ■ ,u n } be a family of vectors, where vii G 
Zjj for each % G [l,n]. We say £aai a family U = {Hi, u 2 , . . . , u n } of vectors is S'-matching if 
(1) for each i G [l,n], (ui,Ui) m = 0; (2) for each i,j G [l,n] such that i ^ j, (ui,Uj) m G S. 

Let m = p^p 1 ^ 2 ■ • -Pr r be a product of r > 1 distinct primes. Define S m C Z m \{0} as follows: For each 
s G Z m \{0}, if either s = (mod p^) or s = 1 (mod p^) for each i G [r], then s G S' m . We refer to S m 
as the canonical set of the integer m = p e ip e 2 • • -Pr r ■ 

For each integer t G [0, T — 1], we use bin(t) = (t r _i, t r _2, • • • , t ) G {0, l} r to denote the binary 

representation of t, i.e., t = t r _i • 2 r_1 + t r _ 2 • 2 r ~ 2 H h t ■ 2°, and let s t G [0, m — 1] be an integer 

such that s t = t^_i (mod ) for each « G [1, r]. Thus from the definition of S m C Z m \{0}, it follows 
that S m = {si, S2 , S2>--i}, where s = and s 2 r-\ = 1. 

Lemma 2.1 ([9, Theorems 1.2 and 1.3]) Let m = p e ^p e 2 • ■ • p e r r be a product of r > 1 dis- 
tinct primes. Then there exists a constant c = c(m) > such that for every integer h > 0, 
there exists an explicitly constructible uniform set-system TC over the universe [l,h] that satisfies 
the following: 

(1) \n\ > exp (c^^) ; 

(2) for each H G T~i, \H\ = (mod m); 

(3) for any G,H G sncn t/iat G ^ H, there exists i G [1, 2 r — 1] such that \G fl H\ = Sj (mod m), 
where S m = {s\, s 2 , ■ ■ ■ , S2>-_i} is tae canonical set of m. 

For each ifj G H, let n*j = (n^i, u i2 , ■ ■ ■ , n^) G {0, l} h be the incidence vector of Hi, i.e., for each j G 
[1, h], Uij = 1 iff j G i/j. By Lemma 2.1, Efremenko [7] showed the following results: 

Lemma 2.2 ([7, Corollary 3.3]) Let m = p e \p e 2 ' • 'V e r r be a product of r > 1 distinct primes 
and S m be the canonical set of m. Then for any integer h > 0, there exists a family U = 
{Hi, u 2 , . . . , u n } of S m -matching vectors such that Ui G {0,1}^ C for each i G [n] and n > 
exD ( c (logfe) " ^ 
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2.3 S'-Decoding Polynomials 

To construct a (k, 5, e)-locally decodable codes of short length, the following lemma is useful. 

Lemma 2.3 ([7, Fact 2.4]) For any odd integer m > 1, there exist a finite field F 2 * with t G 
[1, m — 1] and an element 7 G F 2 « 0/ order m, i.e., 7™ = 1 and 7* 7^ 1 /or each i G [1, m — 1]. 

Let m = ' ' 'Pr r be a product of r > 1 distinct odd primes and 7 € F 2 * be an element given by 

Lemma 2.3. Efremenko [7] introduced a notion of .S-decoding polynomials, which plays a crucial role 
to construct a query-efficient locally decodable code. 

Definition 2.4 ([7, Definition 3.4]) For any S C Z m \ {0} ; we say iaai P(x) G F 2 *[x] is an S- 
decoding polynomial if (1) P(Y) = for each s E S; (2) P( 7 °) = P(l) = 1. 

Efremenko [7] showed that there exists an S'-decoding polynomial with a few monomials. 

Lemma 2.4 ([7, Claim 3.1]) For any odd integer m = p^p^ 2 ■ ■ -p 1 / with r > 1 and any S C 
Z m \ {0}, there exists an S-decoding polynomial P(x) with at most \S\ + 1 monomials. 

Remark 2.1 The number of monomials of an S-decoding polynomial is closely related to the number 
of queries of the corresponding locally decodable code. In fact, the number of monomials of an S- 
decoding polynomial is k iff the number of queries of the corresponding locally decodable code is k. 

Let m = p e iP S 2 ■ ■ -Pr r be a product of r > 1 distinct odd primes. It is immediate that \S m \ = 2 r — 1 
from the definition of the canonical set S m of m. Thus from Lemma 2.4, we have the following lemma: 

Lemma 2.5 ([7]) Let m = p^p^ 2 ■ ■ -p^ r be a product ofr > 1 distinct odd primes. Then there exists 
an S m -decoding polynomial P(x) with at most 2 r monomials. 

3 Known Construction for fc-Locally Decodable Codes 

We describe the construction of (k, 5, £)-locally decodable codes given by Efremenko [7]. 
3.1 Encoding 

Let m = p^p^ 2 ■ ■ ■ p e r r be a product of r > 1 distinct odd primes, 7 G F 2 « be an element determined by 
Lemma 2.3, and P(x) = ao+aix hl + • • ■+ak-\x bk - 1 e F 2 t [x] be an S^-decoding polynomial, where S m 
is the canonical set of m. For each i e [1, n], let e*j G FJ be the ith unit vector and iV = m h , where 



Let U = {Hi, n 2 , . . . , u n } be a family of SV^-matching vectors, where U{ G for each % G [1, n\. We 
define a code C : F^ t — > F^ as follows: For any x = {x\,x^, ■ ■ ■ ,x n ) G F^, let C(x) = xiC(ei) + 
x 2 C(e 2 ) + • • • + x n C(e n ), where for each % G [1, n], 



h = exp (VOogn) • (log log n)^ 1 )) 



= n 



0((loglogn/logn) 1 - 1 / r ) 



(1) 



C( 




(2) 
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Input 



A vector y G F^. 



Step 1: Choose v G Z^ uniformly at random. 

Step 2: Query y(v),y(v + biui), . . . , y(V + bk-iUi) G F 2 t, where denotes the symbol of ^ e 
indexed by 2 6 Z^. 

Step 3: Output ^ = 7-^^™ {a • y(v) + a x ■ y(v + biUi) H h a fc _i • + 6 fe _iWi)}. 



Figure 1: Decoding Algorithm 

3.2 Decoding 

For each j e [l,n], a randomized decoding algorithm Di : F^ — > F 2 * is defined as in Figure 1. 

Lemma 3.1 ([7, Lemma 3.5]) The decoding algorithm V = {Di}^^ is a perfectly smooth de- 
coder. 

To be self-contained, we show the proof of Lemma 3.1 in Appendix A. Thus from Lemmas 2.2 and 
2.5, we have the following result: 

Theorem 3.1 ([7, Theorem 3.6]) For any integer n > 1 and any integer r > 1, there exists a 
k-query locally decodable code C : F^ t — > F^ such that k < T and 

N = exp (^exp (o (jjlogn ■ (log log nf" 1 ^ = exp (Vw°gi° g n/iog„) 1 - 1 /'-) j _ 

4 Query- Efficient Locally Decodable Codes 
4.1 How to Reduce the Number of Queries 

By setting r = 2 in Theorem 3.1, it is immediate to see that for any integer n > 1, there exists a 4- 
query locally decodable code C : F^ — > F^ such that 

N = exp (exp (o [yjlogn ■ log log n))) = exp ( n o((i°gi°g«/i°g«) 1/2 ) j . (3) 

On the other hand, Efremenko [7, Example 3.7] found a surprising example: Let m = 511 = 2 9 — 1 = 
7 ■ 73 and S$u = {1, 365, 147}. For the integer m = 511, determine a finite field F 2 t and an element 
7 G F 2 t of order m = 511 by Lemma 2.3. Indeed, the finite field F 2 * is F 2 9 = F 2 [7]/(7 9 + 7 4 + l) and 
7 G F 2 9 is an element of order 511. For the integer m — 511, there exists an S^n-decoding polynomial 
P(x) = 7 423 -a: 65 +7 257 -a; 12 + 7 342 with 3 monomials, which implies that for any n > 1, there exists a 3- 
query locally decodable code C : F™ 9 — > F^, where TV is given by (3). 

The result above for the integer m — 511 is special. For an integer m = 15 = 2 4 — 1 = 3 • 5, let 
S15 = {1, 10, 6} and by Lemma 2.3, we take the finite field F 2 * to be F 2 4 = F 2 [7]/(7 4 + 7 + 1) and the 
element 7 G F 2 4 of order 15. By an exhaustive search, we can verify that for the integer m = 15, there 
does not exist an Sis-decoding polynomial with less than 4 monomials. From these observations, we 
see that it is impossible for every odd integer m = p^p^ 2 to have an S^-decoding polynomial with less 
than 4 monomials. Thus for an odd integer m = p^p^ 2 ■ ■ -p e r r ', we need to find structural properties 
of S^-decoding polynomials to reduce the number of queries to less than 2 r . 
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4.2 Building Blocks for Query-Efficient Locally Decodable Codes 



In this section, we present a new construction for query-efficient locally decodable codes of subexpo- 
nential length. A key idea of our construction is to generate a fci /^-locally decodable code by compos- 
ing a fci-locally decodable code and a /c 2 -locally decodable code. 

Let mi = p e ip e 2 ■ ■ ■ Pr r be a product of r > 1 distinct odd primes and m 2 = q^q^ 2 • • • q°l be a prod- 
uct of £ > 1 distinct odd primes. Assume that gcd(mi, m 2 ) = 1 in the rest of this paper and let m = 
mim 2 be a product of r + £ > 2 distinct odd primes. From Lemma 2.3, we know that (1) for the odd 
integer mi, there exist a finite field F 2 n with t\ G [1, mi — 1] and an element 71 G F 2 h of order mi; (2) 
for the odd integer m 2 , there exist a finite field F 2 t 2 with t 2 G [1, m 2 — 1] and an element 7 2 G F 2 t 2 of 
order m 2 ; (3) for the odd integer m = mim 2 , there exist a finite field F 2 * with £ G [1, m — 1] and an 
element 7 G F 2 * of order m. The following lemmas are crucial for our construction. 

Lemma 4.1 For the finite fields F 2 h , F 2 t 2; and¥ 2 t, the following holds: (1) F 2 t x is a subfield of F 2 t; 
(2) F 2 t 2 is a subfield o/F 2 *; (3) t = lcm(£i,£ 2 ). 

Proof: For the statement (1), it is immediate that F 2 n is a subfield of F 2 t iff t is divisible by t±. Note 
that t± G [1, mi — 1] is a minimum integer such that 2' 1 = 1 (mod mi) and t G [1, m — 1] is a minimum 
integer such that 2* = 1 (mod m). Assume that t is not divisible by ti, i.e., there exist q > 1 and 
< r < £1 such that t = gti + r. Since m = mim 2 , we have that 2* = 1 (mod mi). So from the fact 
that 2* 1 = 1 (mod mi), it follows that 1 = 2* = 2«* 1+r = (2* 1 ) 9 • 2 r = 2 r (mod mi). This contradicts 
the fact that t\ G [1, mi — 1] is a minimum integer such that 2' 1 = 1 (mod mi). Thus t is divisible by 
ti, which completes the proof of the statement (1). The proof of the statement (2) is analogous to 
that of the statement (1). The statement (3) follows from the statements (1) and (2) and the fact 
that t G [l,m — 1] is a minimum integer such that 2* = 1 (mod m). ■ 

For the finite field F 2 *! and the element 7 G F 2 t given by Lemma 4.1, the following claims hold: 
Claim 4.1 For every h G Z^ i7 ^ hm2 e F 2 *i is an element of order m\. 

Proof: Since 2* 1 = 1 (mod mi), there exists q > 1 such that 2* 1 — 1 = qm\. From the fact that 7 G 
F2 is an element of order m = mim 2 , we have that for every h G , 

which implies that 7 /l ™ 2 G F 2tl . It is immediate that = ( 7 «»i"w)h = ( 7 m ) ft = 1. By contra- 

diction, we show that for every h G Z^, the order of 7 /l ™ 2 e F 2 «i is m x Assume that there exists an 
/i G Z^ t ni such that the order of 'j hm2 is < i < mi, i.e., {^ hm2 Y = ^htm 2 _ ^_ Since the order of 7 G 
F 2 t is m, we have that htm 2 is divisible by m = mim 2 , i.e., W is divisible by m x . From the fact that 
h G Zj^ , it follows that I is divisible by mi, which contradicts the assumption that < I < mi. ■ 

Claim 4.2 /n the finite field F 2 *i , i/iere exis^ exactly |Z* t J elements of order mi. 

Proof: For an element <? G F 2 t x of order 2' 1 — 1, we have that ct = g( 2 * 1_1 )/ mi e F 2 *i is an element of 
order mi. So the mi elements a , a 1 , . . . , a mi ~ l are the set of all elements that satisfies x mi = 1. It is 
immediate that for each j G Z m , the order of a J is mi/ gcd(j, mi). This implies that in the finite field 
F 2 «i, there exist exactly |Z^J elements of order mi. ■ 

In a way similar to the proofs of Claims 4.1 and 4.2, we can also show the following claims for the 
finite field F 2 * 2 and the element 7 G F 2 t determined by Lemma 4.1. 
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Claim 4.3 For every h G Z^ 2 , ^ hmi G F 2 t 2 is an element of order m 2 . 
Claim 4.4 In the finite field F 2 t 2 , there exist | elements of order m 2 . 
From Claims 4.1, 4.2, 4.3, and 4.4, we can show the following lemma: 

Lemma 4.2 For the elements 71 G F 2 *i, 72 G F 2 i 2 , and 7 G F 2 t, the following holds: (1) iaere exists 
/ii G Z^ snc/i that 71 = 7 /lim2 ; (2) there exists h 2 G Z^ 2 such that 72 = 7 hami . 

Proof: The statement (1) immediately follows from Claims 4.1 and 4.2 and the statement (2) im- 
mediately follows from Claims 4.3 and 4.4. ■ 

Let S mi = {s\, si,..., s 2 r_J, S m2 = {sf, si,..., s 2 ^_J, and S m = {si, s 2 , . . . , s 2 r+e_ 1 } be the canon- 
ical sets of the integers mi, m 2 , and m, respectively, and let s\ = Sq = s — 0. 

Lemma 4.3 For the sets S mi , S m2 , andS m , the following holds: For any s G S m U{0}, (1) s G S m iff 
there exist sj G S mi U {0} and sf G S m2 U {0} suc/i t/iat s = s} (mod mi), s = sf (mod m 2 ) 7 and 
either s^ 7^ or sf 2 7^ 0; (2) s = i/f s = (mod mi) and s = (mod m 2 ). 

Proof: It follows from the definitions of 5 mi , S^, and and the Chinese Remainder Theorem. ■ 

4.3 Constructions for Query-Efficient Locally Decodable Codes 

For the integers mi, m 2 , and m and the integer h > given by (1), let Ni = m\, N 2 = m 2 , and N = 
m h , respectively. The following is essential to construct query-efficient locally decodable codes. 

Theorem 4.1 ((Composition Theorem)) LetC\ : F" tl — > F^ t \ be a £4- query locally decodable code 
that has an S mi -decoding polynomial P\(x) G F 2 ti[x] C F 2 t[x] with k\ monomials and C 2 : F™ t2 — > 
F^ 2 be a k 2 -query locally decodable code that has an S m2 -decoding polynomial P 2 (x) G F 2 t 2 [x] C 
F 2 t[x] with k 2 monomials. Then we can construct a k-query locally decodable code C : F^ t — > F^ 
that has an S m -decoding polynomial P(x) G F 2 t[x] with k monomials, where k < k\k 2 . 

Proof: For m = mim 2 and h given by (1), we define C : F™t — > F^ as follows: For any vector x = 
(x±,x 2 , . . . , x n ) G F 2 t, let C(x) = XiC(e 1 )+x 2 C(e 2 ) + - ■ •+x n C(e n ), where for each i G [1, n], C(e*j) is 
given by (2). For the integer hi G ZJ^ determined by Lemma 4.2- (1) and the integer h 2 G Z^ 2 deter- 
mined by Lemma 4.2-(2), let P(x) = Pi(x him2 ) ■ P 2 (x h2mi ). It is obvious that P(x) is a polynomial 
with k < k\k 2 monomials. Let P[x) = ao + a±x bl + • • • + ak~ix k ~ 1 . For each i G [1, n], a randomized 
decoding algorithm Di is defined exactly the same as Figure 1. For each i G [l,n], we have that 



Thus it suffices to show that Pr[A(C(e*)) = 1] = 1 f o r each i G [l,n] and Pr[D i (C(e J -)) = 0] = 1 for 
each j G [1, n] \ {i}. From (2), it follows that for queries v, v + OiW;, . . . , v + b k ^iUi G Z^, 



Di(C(x)) 



A(xiC(ei) + x 2 C(e 2 ) + ■■■ + x n C(e n )) 
xiA(C(ei)) + x 2 A(C(e 2 )) + • • • + x„A(C(e n )). 



A(C(ei)) 
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A(C(e,)) 



= 7" 


{Ui,v)m 




• • + a fc _i7^> mfc - 




= 7~ 


(ui,v) m 




"* + ••• + a fc -i7 ( " J 




= 7" 






• + a fc _i7 6fc - 1< " i ' 3j 


)m ^ 


= 7" 


(Ui,v)m 








= 7" 


(Ui,v) m 


^(Uj,V)m . p^ ^im2(«i,M 3 )mj . P 2 






= 7" 


{iti,v) m 


7 <«i,iOm . p x /^>%'M . p 2 /^l 


1 ' 





(4) 



where (4) follows from Lemma 4.2. Since W = {Hi, u 2 , ■ ■ ■ , n n } is a family of 5 m -matching vectors, we 
have that (ui, Uj) m G S m . Thus from Lemma 4.3, it follows that there exist G S" mi U {0} and s 2 2 G 
S' m2 U{0} such that (uj, t?j) m = (mod mi), (wj, u,-) m = s 2 , (mod m 2 ), and either sj ^ or s 2 2 7^ 0. 
Recall that 71 G F 2 *i is an element of order mi, 72 G F 2 t 2 is an element of order m 2 ; -Pi (a;) is an S mi - 
decoding polynomial; P 2 (x) is an 5 m2 -decoding polynomial. Then from (4), we have that 



Pi 7i 



(ui,Uj) r 



p i 7i 



\/ P 2 ( 



(Ui,Uj)r 

72 



ft 7i 



0. 



Thus it follows that A(C(e^)) = 1 for each % G [1, n] and A(C(ej)) = for each j G [1, n] \ {%). ■ 

Corollary 4.1 ((to Theorem 4.1)) For any integer n > 1 and any integer r > 1, there ex- 
ists a k- query locally decodable code C : 



F^ such that k < 3 • 2 r " 2 and 



N = exp ^exp ^ \J\ogn ■ (loglogn) r x ^ ^ 



exp l n 



0((log logn/ log 



Proof: Efremenko [7, Example 3.7] showed that for an odd integer mi = 511 = 7-73, there exists a 3- 
query locally decodable code C\ : F" tl — > F^ that has an S^-decoding polynomial Pi(x) G F 2 *i [x] 
with 3 monomials. For any integer r > 1, we take m 2 = p^p^ 2 • • 'P^-i that is a product of r — 2 dis- 
tinct odd primes such that gcd(mi, m 2 ) = 1, and let m = mim 2 . Efremenko [7, Theorem 3.6] also de- 
rived that for any integer r > 1, there exists a /c 2 -query locally decodable code C\ : F™ tl — > F^ that 
has an S' m2 -decoding polynomial ft(x) G F 2 t 2 [x] with A; 2 monomials, where k 2 < 2 r . So from The- 
orem 4.1, we can construct a /c-query locally decodable code C : F^ — > that has an S^-decoding 
polynomial P(x) G F 2 t[x] with k monomials, where k < 3 • 2 r_2 . ■ 



5 Concluding Remarks 

In this paper, we have shown the Composition Theorem that constructs a /ci/c 2 -query locally decoda- 
ble code by composing a /ci-query locally decodable code and a /c 2 -query locally decodable code (see 
Theorem 4.1) and in Corollary 4.1, we have also shown that for any integer r > 1, there exists a k- 
query locally decodable code C : F^ — > F^ such that < 3 • 2 r ~ 2 and 



N = exp |^exp yO yy logn • (loglogn) r 
For perfectly smooth decoders, we can immediately modify Theorem 4.1 as follows: 



jjj = exp (n 



0((loglogn/ logn) 1 - 1 / 1 -)" 
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Theorem 5.1 Let d : F£ tl -> F$ 6e a fej -query locally decodable code with a perfectly smooth 
decoder T> 1 that has an S mi -decoding polynomial P\{x) G F 2 n[^] Q F 2 t[x] with ki monomials and 
C 2 : F™i 2 — > F^ be a k 2 -query locally decodable code with a perfectly smooth decoder T>2 that has an 
S m2 -decoding polynomial P 2 (x) £ F 2 t 2 [x] C F 2 *[x] to£/j fc 2 monomials. Then we can construct a It- 
query locally decodable code C : FJ — > F^ with a perfectly smooth decoder V that has an S m -decoding 
polynomial P(x) G F 2 t[x] with k monomials, where k < k x k 2 . 

From Theorem 5.1 and the transformation [21] from a /c-query locally decodable codes with a perfect- 
ly smooth decoder to /c-server private information retrieval, we can show the following theorem: 

Theorem 5.2 For any integer n > 1 and any integer r > 1, there exists a k- server private informa- 
tion retrieval such that k<3- 2 r ~ 2 and C k (n) = ^((logiogn/kW- 1 ^) _ 

At present, we know only a 3-query locally decodable code F™ 9 — > F^ such that 
N = exp (exp (o ( ^log n • log log n) ) ) = exp ^((logiogn/iogn) 1 ^) j ^ 

for an add integer m = 511 = 2 9 = 7-73 [7, Example 3.7]. Let M. r be a set of integers, each of which 
is a product of r > 1 distinct odd primes. From the Composition Theorem (see Theorem 4.1), it fol- 
lows that if there exist mi, m 2 , . . . , me G M. 2 such that gcd(mj, mj) = 1 for each 1 < i < j < £ and 
each mi G M. 2 generates a 3-query locally decodable code Ci : F^ t . — > F^. that has an S mi - decoding 
polynomial Pi(x) G F 2 *i[x] with less than 4 monomials, where 

N = exp (exp (o {^logn ■ log log ra))) = exp ( n o(0°gi°g«/i°g™) 1/2 ) j ? 

then for the integer m = m\m 2 ■ ■ ■ me, we can construct a A;-query locally decodable code C : F 2t — > 
F^ that has an S^-decoding polynomial P(x) G F 2 t [x] with fc monomials, where k < 3 £ and 

N = exp (exp (o ( 2 {/\og n ■ log log ra) ) ) = exp (^((logiogn/iogn) 1 " 1 ^) j ? 

however, we do not know such integers m 1; m 2 , . . . , rra^ G .M 2 exist other than m — 511 & A4 2 . Thus 
the following problems are both of theoretical interest and of practical importance. 

(1) Find integers m G M 2 \ {511} that generate a 3-query locally decodable code C : F 2t — > 
i.e., the code C has an Sm-decoding polynomial P(x) G F 2 t[x] with less than 4 monomials. 

(2) For any integer r > 2, find an integer m G .M r that generate a /c-query locally decodable code 
C : F"t — > F^ that has an ^-decoding polynomial P(x) G F 2 *[x] with k < 3-2 r ~ 2 monomials. 
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A Proof of Lemma 3.1 

For each % G [1, n], it is obvious that each of queries v,v + b\Ui, . . . ,v + bk-\U.i G Z^ is uniformly dis- 
tributed over [1, N}. So for any vector x = (xi, x 2 , . . . , x n ) G F£ t , we show that Pr[A(C0*0) = Xj\ = 
1 for each i G [l,n]. Since C(x) = x\C{e\) +x 2 C(e 2 ) + • • •+x n C(e n ), we have that for each i G [l,n], 

Di(C{x)) = D i (x 1 C(e 1 )+x 2 C(e 2 ) + --- + x n C(e n )) 

= x, A(C(ei)) + x 2 D i (C(e 2 )) + ■■■ + x n A(C(e n ))- 

Thus it suffices to show that Pr[A(C(e;)) = 1] = 1 for each % G [l,n] and Pr[A(C(e i )) = 0] = 1 for 
each j G [1, n\ \ {i}. From (2), it follows that for queries v, v + b\Ui, . . . ,v + bk-iUi G Z^, 

A(C(ei)) = 7-^™ • (a j { ^ m + ai -i { ^ +hA)m + ■■■ + a fc _i7 <fi * ><r+6fc - 1<ri>m ) 
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= a + a l7 bl< " l '* >m + • • • + afc-n^- 1 ^'^" 1 

= p( 7 <*A>"*) ; (5) 



A(C(3)) 



= 7" 


-{Hi,v) m 


■ (a 0l ^^ m + a^^+bi^U + 


ha fc . 


-i7 ( " J 


,v+b k _ 




= 7" 


-{Ui,v)m 


• (a 7 <3 ^ m + ai7^' ,/>m 7 fel< " l '^ ; 


>m _|_ . . . 


+ a k - 


-11^ 




= 7" 


-{Ui,v)m 


• 7 <"^™ ■ (a + a l7 fel( " l '^ >m + • 






1 {u i ,Uj 


>m ) . 


= 7" 


-{Ui,v)m 













(6) 



Since W = {ui, u 2 , ■ ■ ■ , u n } is a family of S^-matching vectors, we have that (ili, Ui) m = for each i e 
[1, n] and (-Uj, Wj) m = s^- G S* m C Z m \{0} for each i, j e [1, n] such that 2 7^ j, and from the definition 

of S'm-decoding polynomial P(x) = a + aix bl H hafc-irr^- 1 , we have that p( 7 ("*'"*>™) = p(l) = 1 

for each i e [l,n] and P( 7 ^'"j>™) = P( 7 s *j) = for each i, j e [l,n] such that i 7^ j. 

Thus it follows from (5) that A(C(e*)) = P(7< 3 *' 3i > m ) = P(l) = 1 for each i e [l,n], and it fol- 
lows from (6) that A(C(e})) = ry-{ui,v) m . ry{uj,v) m . p( 7 s y) = for each i,j e [1, n] such that i 7^ j. 
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